The president has deemed it so, but trusting the NSA to stop collecting communications information is no longer possible

InfoWorld|Jan 20, 2014

President Obama has said he is reforming the NSA practice of acquiring and storing telephone call metadata, and the NSA will no longer collect and store bulk data. Forgive me if I find that both doubtful and frankly unhelpful. You don't put this cat back in the bag. Once these practices have begun and the infrastructure has been built to facilitate this data gathering, it doesn't simply stop.

Some may say it has stopped; they might even order it stopped. But there's no possible way to verify it has in fact stopped. Remember, not even Congress knew about many of the data-gathering practices of the NSA. I think it's a guarantee that nobody knows the full range of what the NSA has built, much less what it can capture and view.

As I discussed last week, we've entered into a post-security world. From this day forward, we must assume that all of our computing systems are compromised. We can never certify that anything is completely secure, not even airgapped systems. We cannot trust any hardware or hardware vendor, nor can we trust any proprietary software or software vendor.

It's not necessarily because the vendor itself is knowingly providing backdoors, though that has clearly happened in many cases. Rather, it's proven far too easy for certain domestic and foreign agencies to slip backdoors into just about anything or to have already compromised encryption standards and security certificates. It's all gone, and it's never coming back.

While the president might promise that these programs are being "transitioned" or even mothballed, it's impossible to trust that it's so. The specific practice of bulk collecting data on millions of Americans' phone calls is a small part of what we now know the NSA has been doing. We haven't heard anything about the NSA ceasing the practice of siphoning data between Google data centers, for instance, or about it no longer collecting massive amounts of general Internet traffic and storing it for later perusal. It would be basically pointless for those claims to be made, even if they were actually true. There is no way to verify it.

Anyone can point to an empty room and say all the gear used to store, say, every piece of email from Yahoo's servers is now gone, and the data has been destroyed. Beyond that empty room may be dozens more with storage arrays humming away, containing that very data. No audit could ever be conducted to completely verify that claim. The scope and scale of the NSA's actions have permanently destroyed security and privacy across the globe.

All of this may have one very positive outcome, however: Never has the case been stronger for open source software. If we pass through this period of uncertainty properly, we may see a significant surge in the use of open source, due specifically to the fact that it can be trusted. I'd expect a rise in the use of open source firewalls like pfSense, as well as open source switching, storage solutions, operating systems, the whole works. The NSA revelations, alongside the impending demise of Windows XP support from Microsoft and the lackluster uptake of Windows 8, may actually jolt desktop Linux into a larger market share, especially in the corporate world.

Ideally, most of those motions will come from CSOs and security pros. They've been thrown under the bus by the NSA and can't claim that their networks are secure. They can't guarantee anything unless they can see the code in use everywhere and have verified it's not backdoored. All their commercial tools must be assumed to be compromised unless proven otherwise -- and it's impossible to prove it otherwise.

Any government can claim it's no longer collecting phone call data or Internet traffic data or any other form of communications information. But it doesn't really matter anymore because it can never be believed or verified. The world has a clear choice now: Either allow random groups of people to access all of your business and personal information at any time without your knowledge, or build new ways to make sure that does not and cannot happen. I think the latter is the more likely scenario.